
Service Modification (66531bc6-a509-4868-8314-4d599e91d222)

Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.

Data Collection Measures:

  • Windows Event Logs
    • Event ID 7040 - Detects modifications to the startup behavior of a service.
    • Event ID 7045 - Can capture changes made to existing services.
    • Event ID 7036 - Tracks when services start or stop, potentially indicating malicious tampering.
    • Event ID 4697 - Can detect when an adversary reinstalls a service with different parameters.
  • Sysmon Logs
    • Sysmon Event ID 13 - Detects changes to service configurations in the Windows Registry (e.g., HKLM\SYSTEM\CurrentControlSet\Services\).
    • Sysmon Event ID 1 - Can track execution of sc.exe or PowerShell Set-Service.
  • PowerShell Logging
    • Event ID 4104 (Script Block Logging) - Captures execution of commands like Set-Service, New-Service, or sc config.
    • Command-Line Logging (Event ID 4688) - Tracks usage of service modification commands:
      • sc config <service_name> start= auto
      • sc qc <service_name>
  • Linux/macOS Collection Methods
    • Systemd Journals (journalctl -u <service_name>) - Tracks modifications to systemd service configurations.
    • Daemon Logs (/var/log/syslog, /var/log/messages, /var/log/daemon.log) - Captures changes to service state and execution parameters.
    • AuditD Rules for Service Modification
      • Monitor modifications to /etc/systemd/system/ for new or altered service unit files: auditctl -w /etc/systemd/system/ -p wa -k service_modification
      • Track execution of systemctl or service commands: auditctl -a always,exit -F arch=b64 -S execve -F a0=systemctl -F key=service_mod (note that -F a0= compares the raw first execve argument, which is a pointer rather than the string "systemctl", so matching the binary itself with -F exe=/usr/bin/systemctl, path varying by distribution, or a -w /usr/bin/systemctl -p x watch is the reliable form)
    • OSQuery for Linux/macOS Monitoring
      • Query unit state using OSQuery's systemd_units table (Linux): SELECT id, active_state, sub_state, fragment_path FROM systemd_units WHERE active_state != 'active';
    • macOS Launch Daemon/Agent Modification
      • Monitor for changes in:
        • /Library/LaunchDaemons/
        • /Library/LaunchAgents/
      • Track modifications to .plist files indicating persistence attempts.
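The sources above feed three different record shapes (Windows System log text for Event ID 7040, Sysmon 13 registry fields, and multi-record auditd events keyed by the -k service_modification watch). The following is an added example of triage logic over such records; it is not code from the MISP galaxy or from MITRE ATT&CK. The sample events are constructed, the record field names (source, event_id, message, TargetObject, Details) are assumptions about how a collector would normalise them, and the list of sensitive registry values is a defender's choice rather than anything the page specifies.

```python
# Added example: triage of service-modification telemetry (constructed samples,
# assumed field names; not code from the MISP galaxy or MITRE ATT&CK).
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Registry subtree Sysmon 13 reports service changes under (compared case-insensitively).
SERVICES_PREFIX = "hklm\\system\\currentcontrolset\\services\\"
# Values whose change alters what a service runs, when it runs, or as whom (assumed set).
SENSITIVE_VALUES = {"ImagePath", "Start", "ObjectName", "FailureCommand", "ServiceDll"}
UNIT_DIR = "/etc/systemd/system/"

AUDIT_SERIAL = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    source: str
    service: str
    detail: str


def check_win_7040(message: str) -> Optional[Finding]:
    """Event ID 7040 text: flag a previously disabled service being switched on."""
    m = re.search(r"The start type of the (.+?) service was changed from (.+?) to (.+?)\.?$", message)
    if not m:
        return None
    service, old, new = (s.strip() for s in m.groups())
    if old.lower() == "disabled" and new.lower() != "disabled":
        return Finding("win:7040", service, f"start type {old} -> {new}")
    return None


def check_sysmon_13(target_object: str, details: str) -> Optional[Finding]:
    """Sysmon 13: flag writes to execution-relevant values under a service key."""
    if not target_object.lower().startswith(SERVICES_PREFIX):
        return None
    parts = target_object[len(SERVICES_PREFIX):].split("\\")
    if len(parts) < 2:
        return None
    service, value = parts[0], parts[-1]
    if value in SENSITIVE_VALUES:
        return Finding("sysmon:13", service, f"{value} = {details}")
    return None


def check_auditd(lines: List[str]) -> List[Finding]:
    """Join SYSCALL and PATH records by serial; report unit files touched under the watch key."""
    events: Dict[str, dict] = {}
    for line in lines:
        m = AUDIT_SERIAL.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {"key": None, "paths": []})
        fields = {k: v.strip('"') for k, v in AUDIT_FIELD.findall(line)}
        if fields.get("type") == "SYSCALL":
            ev["key"] = fields.get("key")
        elif fields.get("type") == "PATH" and fields.get("nametype") != "PARENT":
            ev["paths"].append(fields.get("name", ""))  # skip the directory entry itself
    findings = []
    for ev in events.values():
        if ev["key"] != "service_modification":
            continue
        for path in ev["paths"]:
            if path.startswith(UNIT_DIR):
                findings.append(Finding("auditd", path[len(UNIT_DIR):], "unit file written"))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"source": "win", "event_id": 7040,
     "message": "The start type of the RemoteRegistry service was changed from disabled to auto start."},
    {"source": "win", "event_id": 7040,
     "message": "The start type of the Spooler service was changed from auto start to demand start."},
    {"source": "sysmon", "event_id": 13,
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
     "Details": "C:\\ProgramData\\updater.exe"},
    {"source": "sysmon", "event_id": 13,
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\Description",
     "Details": "Print Spooler"},
]
SAMPLE_AUDITD = [
    'type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes '
    'exit=3 comm="vim" exe="/usr/bin/vim" key="service_modification"',
    'type=PATH msg=audit(1700000000.123:456): item=0 name="/etc/systemd/system/" nametype=PARENT',
    'type=PATH msg=audit(1700000000.123:456): item=1 name="/etc/systemd/system/backup.service" nametype=CREATE',
]


def triage(events: List[dict], auditd_lines: List[str]) -> List[Finding]:
    """Run every check over the mixed record set and collect findings."""
    findings: List[Finding] = []
    for e in events:
        f = None
        if e["source"] == "win" and e["event_id"] == 7040:
            f = check_win_7040(e["message"])
        elif e["source"] == "sysmon" and e["event_id"] == 13:
            f = check_sysmon_13(e["TargetObject"], e["Details"])
        if f:
            findings.append(f)
    findings.extend(check_auditd(auditd_lines))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_AUDITD):
        print(f"[{f.source}] {f.service}: {f.detail}")
```

On the samples, the 7040 check reports only RemoteRegistry (a disabled-to-enabled transition, not the routine auto-to-demand change), the Sysmon check reports only the ImagePath write and ignores the Description value, and the auditd check reports backup.service while discarding the PARENT record for the directory. Joining auditd records by serial matters because the key lives on the SYSCALL record and the file name on a separate PATH record.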

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Service Modification (66531bc6-a509-4868-8314-4d599e91d222) | mitre-data-component | 1
Service Modification (66531bc6-a509-4868-8314-4d599e91d222) | mitre-data-component | Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) | Attack Pattern | 1
Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba) | Attack Pattern | Service Modification (66531bc6-a509-4868-8314-4d599e91d222) | mitre-data-component | 1
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) | Attack Pattern | Service Modification (66531bc6-a509-4868-8314-4d599e91d222) | mitre-data-component | 1
Services Registry Permissions Weakness - T1574.011 (17cc750b-e95b-4d7d-9dde-49e0de24148c) | Attack Pattern | Service Modification (66531bc6-a509-4868-8314-4d599e91d222) | mitre-data-component | 1
Service Modification (66531bc6-a509-4868-8314-4d599e91d222) | mitre-data-component | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) | Attack Pattern | 2
Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2
Services Registry Permissions Weakness - T1574.011 (17cc750b-e95b-4d7d-9dde-49e0de24148c) | Attack Pattern | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 2